I am just back from a trip to New Delhi (along with my colleague, Prabhash Dhyani). The weather was quite hot and humid. Amidst flight delays and the apparently unstoppable Delhi traffic, we managed to meet up with some interesting folks and exchanged several ideas. You may be wondering what this has got to do with a security blog. Hold on, you will soon find out!
Recently, I was volunteered (yeah, volunteered :)) to conduct an IT and wireless security training/workshop for some folks in Delhi. The group was an interesting mix of IT administrators, users and systems analysts. This blog article is a collection of reminiscences from the workshop.

The first portion of the workshop involved a high-level discussion of Internet-based threats and how to handle them. Specifically, we looked at firewalls, NACs, IDS/IPS and web security. The second portion of the training focused completely on how wireless changes the enterprise security game. We demonstrated how technologies such as the above (e.g., firewalls, NAC) can be bypassed by wireless backdoors. For example, it is easy to capture sensitive information such as user names and passwords when an Open AP is connected to the enterprise network. Further, I could almost hear the attendees gasp when we showed how easy it is to crack a WEP key (within minutes) using the PTW attack. OK, so Open and WEP are insecure, but what about WPA and WPA2? The bad news is that WPA-PSK and WPA2-PSK are vulnerable to dictionary attacks, and online "services" are there to "help" attackers. Further, TKIP is vulnerable to packet injection attacks, as was demonstrated recently. At this point, everybody was convinced that each of the above technologies has some issue or the other. Hence, any WLAN deployment should preferably use the "most secure" WPA2-CCMP configuration available today (Note: in the security world, a protocol is secure till it is broken).
So far, so good: we have learnt how to configure our WLAN in a secure way. Is this good enough? Am I safe if I "ban" Wi-Fi in my organization? Several of the attendees answered this in the affirmative. Unfortunately, this shows that we do not yet appreciate the threats due to unmanaged wireless devices. Example threats include Rogue APs, soft APs, ad hoc connections, evil twins/honeypots and Denial of Service (DoS) attacks. We demonstrated how such unauthorized devices can be easily set up and deployed without giving any clue to a network administrator who is relying solely on wired security tools. Consumerization of wireless takes this attack one step further (recall the Windows Virtual Wi-Fi Honeypot). We explained why conventional mechanisms such as wired IDS/IPS and NACs cannot block such threats. At the end of this session, the attendees had almost concluded that "wireless is hopeless and helpless". It was high time to talk about best practices and defense measures, and that is exactly what we did. We educated the attendees on the importance of over-the-air monitoring, quarterly scans and the advantages of an automated tool such as a Wireless IPS in fighting this problem. At the end of the day, people seemed to reach the right conclusion: deploy wireless, but secure it via several layers of defenses such as strong cryptographic security, 802.1X and Wireless IPS.
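The two lessons of the day, weak configurations (Open, WEP, PSK, TKIP versus WPA2-CCMP with 802.1X) from the first session and unmanaged devices (rogue APs, evil twins) from the second, can be folded into one small over-the-air posture audit of the kind a Wireless IPS automates. The script below is an added example written for this post; it is not code from the original article or from any product mentioned in it. The scan records, BSSIDs, SSIDs and the authorised list are constructed sample data, and the severity ranking simply follows the ordering the post itself gives.

```python
"""Wireless posture audit over a set of observed access points (added example).

Two checks per AP, mirroring the two sessions of the workshop:
  1. config_weaknesses(): is the advertised security configuration one of the
     broken or weak ones (Open, WEP, PSK, TKIP), or WPA2-CCMP with 802.1X?
  2. classify(): is this BSSID allowed to advertise this SSID, or is it a rogue
     AP, or an evil twin impersonating a corporate SSID?
All scan data below is constructed, not a real capture.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    """One AP as reported by an over-the-air monitor (fields are assumptions)."""
    bssid: str
    ssid: str
    auth: str    # "OPEN", "WEP", "WPA-PSK", "WPA2-PSK", "WPA2-EAP"
    cipher: str  # "NONE", "WEP", "TKIP", "CCMP"


# Constructed authorised deployment: corporate SSID -> BSSIDs allowed to serve it.
AUTHORISED = {
    "CorpNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}
KNOWN_AUTH = {"OPEN", "WEP", "WPA-PSK", "WPA2-PSK", "WPA2-EAP"}


def config_weaknesses(ap):
    """List (severity, reason) for every weakness in the advertised configuration.

    An empty list means WPA2-CCMP with 802.1X, the configuration the post recommends.
    Several weaknesses can apply at once (e.g. WPA-PSK with TKIP), so all are returned.
    """
    issues = []
    if ap.auth not in KNOWN_AUTH:
        issues.append(("medium", f"unrecognised auth type {ap.auth!r}: review manually"))
    if ap.auth == "OPEN":
        issues.append(("critical", "open network: traffic and credentials readable over the air"))
    if ap.auth == "WEP" or ap.cipher == "WEP":
        issues.append(("critical", "WEP: key recoverable within minutes (PTW attack)"))
    if ap.cipher == "TKIP":
        issues.append(("high", "TKIP: vulnerable to packet injection"))
    if ap.auth in ("WPA-PSK", "WPA2-PSK"):
        issues.append(("medium", "pre-shared key: exposed to dictionary attacks"))
    return issues


def classify(ap, authorised=AUTHORISED):
    """'authorised', 'evil-twin' (corporate SSID from an unknown BSSID) or 'rogue'."""
    if ap.ssid in authorised:
        return "authorised" if ap.bssid in authorised[ap.ssid] else "evil-twin"
    return "rogue"


def audit(scan, authorised=AUTHORISED):
    """One finding per AP that is unauthorised or weakly configured, in scan order."""
    findings = []
    for ap in scan:
        status = classify(ap, authorised)
        issues = config_weaknesses(ap)
        if status == "authorised" and not issues:
            continue  # correctly deployed WPA2-CCMP/802.1X AP: nothing to report
        severity = max((s for s, _ in issues), key=SEVERITY_RANK.get, default="ok")
        reason = "; ".join(r for _, r in issues) or "WPA2-CCMP with 802.1X"
        findings.append({"bssid": ap.bssid, "ssid": ap.ssid, "status": status,
                         "severity": severity, "reason": reason})
    return findings


# Constructed scan: one good AP, one authorised-but-weak AP, one evil twin, one rogue.
SAMPLE_SCAN = [
    ObservedAP("00:11:22:33:44:01", "CorpNet", "WPA2-EAP", "CCMP"),
    ObservedAP("00:11:22:33:44:02", "CorpNet", "WPA-PSK", "TKIP"),
    ObservedAP("aa:bb:cc:dd:ee:01", "CorpNet", "OPEN", "NONE"),
    ObservedAP("aa:bb:cc:dd:ee:02", "linksys", "WEP", "WEP"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f['severity']:8} {f['status']:10} {f['bssid']} {f['ssid']!r}: {f['reason']}")
```

Note that the evil-twin check keys on the SSID/BSSID pairing, which is exactly what a wired IDS or NAC never sees: the impersonating AP need not touch the wired network at all, so only an over-the-air view (a periodic scan or a Wireless IPS sensor) can produce that finding.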
Thus ended a fine day in New Delhi. I am looking forward to hearing how you are battling the increasing wireless threat scenarios.